2

In the Spring framework we have something like below to escape HTML characters

<context-param>
    <param-name>defaultHtmlEscape</param-name>
    <param-value>true</param-value>
</context-param>

I also want to add a custom class which can also escape characters like

!"#$%&*+/:;=?@[]^`{|}~\

Is there a class in the Spring framework to do this? (I think not.) If not, I can have a utility class which can convert all the characters.

I used the utility class like a filter to encode the values (input validation).

I want to know if I can use the same filter to encode for output as well. The issue is that the output still shows the same as the entered value instead of encoding like &LT; for <. Any suggestions are greatly appreciated!

user1609085
  • I don't understand your question. Parameter `defaultHtmlEscape` is for JSP tags like `` or ``. It makes them convert characters unsafe for HTML to HTML entities (e.g. `&` => `&amp;`) before writing their value to output. How is this functionality connected to the custom characters you have mentioned? How do you want to escape them? Where do you want to use this functionality? – Pavel Horal Jan 21 '14 at 12:24
  • You are right: `It makes them convert characters unsafe for HTML to HTML entities (e.g. & => &amp;) before writing their value to output`. I want to know if there is something I can do to convert special characters as well in output. – user1609085 Jan 21 '14 at 12:56
  • Please rephrase your question. It is not clear what you are asking! You can not ask for a generic *escaping functionality* if you don't specify what type of escaping you want. Or better - write the whole use case or issue you are solving. – Pavel Horal Jan 21 '14 at 15:23
  • Not asking for a generic escaping functionality (which I already have). I want to know about the output encoding for special characters in Spring MVC. – user1609085 Jan 21 '14 at 16:01
  • Still not clear. Why would you want Spring to escape `!` or `#` (and other characters you mention in your question, except for `&`) in HTML output? They are not symbols with any special meaning in HTML. – Pavel Horal Jan 21 '14 at 16:02
  • `defaultHtmlEscape` from Spring escapes HTML characters. The security team wants us to escape those special characters as well in the output. – user1609085 Jan 21 '14 at 16:12
  • So you want to forcefully encode selected characters to numeric HTML entities. That is a hell of a "security" requirement, which I don't really understand (and application security is pretty much my area of expertise). Is there a chance that you have misinterpreted these requirements? http://www.w3.org/TR/html4/charset.html#h-5.3.1 – Pavel Horal Jan 21 '14 at 16:50
  • Btw. you can tamper with the escaping logic if you override this file - https://github.com/spring-projects/spring-framework/blob/master/spring-web/src/main/resources/org/springframework/web/util/HtmlCharacterEntityReferences.properties . But note, that this is from *'hacking the framework'* category. – Pavel Horal Jan 21 '14 at 16:53
  • Literally they asked to escape all characters except alphanumerics. – user1609085 Jan 21 '14 at 17:03
  • 1
    Pardon me, but that is nonsense. **NO** web application I've ever seen does this. And there is reason for that ---> **it is nonsense**. That would not improve any security at all. – Pavel Horal Jan 21 '14 at 23:18
  • Instead of calling it `escape` I would say they want to encode. – user1609085 Jan 22 '14 at 15:48

2 Answers

4

Maybe you can use Apache Commons for this. It has utils for both escape and unescape.

Vinay Lodha
1

You can add a custom class and use the StringEscapeUtils function.

Sample code:

import org.apache.commons.lang.StringEscapeUtils;

public class CustomClass
{
    public static void main(String args[]){

        // Sample containing the four characters that escapeHtml turns into entities
        String testStr = "< > \" &";

        System.out.println("Original : " + testStr);

        // escapeHtml (commons-lang 2.x) writes &lt; &gt; &quot; &amp; for the sample above
        System.out.println("Escaped : " + StringEscapeUtils.escapeHtml(testStr));
    }
}

Reference: http://www.mkyong.com/java/how-to-escape-special-characters-in-java/

Jirilmon
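As an added example (not code from the question or either answer), here are the two encoding styles the comments argue about side by side: the minimal HTML escaping that escapeHtml performs, and the stricter rule of turning every character except ASCII letters and digits into a numeric entity. The class and method names are my own, and the sample string is constructed from the punctuation listed in the question.

```java
import java.util.HashMap;
import java.util.Map;

public final class HtmlOutputEncoder {

    // Minimal set: only characters with syntactic meaning in HTML text and
    // attribute values are replaced (the same idea as escapeHtml).
    private static final Map<Character, String> MINIMAL = new HashMap<>();
    static {
        MINIMAL.put('&', "&amp;");
        MINIMAL.put('<', "&lt;");
        MINIMAL.put('>', "&gt;");
        MINIMAL.put('"', "&quot;");
        MINIMAL.put('\'', "&#39;");
    }

    /** Escapes only the characters that are special in HTML. */
    public static String escapeMinimal(String in) {
        StringBuilder out = new StringBuilder(in.length() + 16);
        for (int i = 0; i < in.length(); i++) {
            char c = in.charAt(i);
            String rep = MINIMAL.get(c);
            if (rep != null) out.append(rep); else out.append(c);
        }
        return out.toString();
    }

    /** Encodes every code point except ASCII [A-Za-z0-9] as a decimal numeric
     *  entity, i.e. the "everything but alphanumerics" rule from the comments.
     *  Iterating by code point keeps surrogate pairs (emoji etc.) intact. */
    public static String encodeAllButAlphanumeric(String in) {
        StringBuilder out = new StringBuilder(in.length() * 4);
        for (int i = 0; i < in.length(); ) {
            int cp = in.codePointAt(i);
            i += Character.charCount(cp);
            boolean alnum = (cp >= 'a' && cp <= 'z') || (cp >= 'A' && cp <= 'Z')
                         || (cp >= '0' && cp <= '9');
            if (alnum) out.appendCodePoint(cp);
            else out.append("&#").append(cp).append(';');
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: a tag plus the punctuation list from the question.
        String sample = "<b>Tom & Jerry</b> !\"#$%&*+/:;=?@[]^`{|}~\\";
        System.out.println(escapeMinimal(sample));            // &lt;b&gt;Tom &amp; Jerry&lt;/b&gt; !&quot;#$%&amp;*+/:;=?@[]^`{|}~\
        System.out.println(encodeAllButAlphanumeric(sample)); // &#60;b&#62;Tom&#32;&#38;&#32;Jerry&#60;&#47;b&#62;&#32;...
    }
}
```

A browser renders both outputs as the same text; the second form is the one the OWASP XSS Prevention Cheat Sheet recommends for HTML body and attribute contexts, so the requirement is strict but not unheard of, and it costs only output size.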